Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1107
Views
2
Helpful
14
Replies

IOS IPv6 CoPP

Go to solution
cardosocristian
Level 1
Level 1

‎05-09-2024 11:44 AM

I'm trying to configure IPv6 access for a BGP session and I want to control this through CoPP, to have more control plane security on my Cisco router with IOS, I did an initial configuration and it continues to accept connections from IPs that I didn't include in the ACL, follow my test:

 

ipv6 access-list eBGPv6
permit tcp host 2804:DB8:1000::1 eq bgp any
deny ipv6 any any
!

class-map match-all CONTROL-PLANE
match access-group name eBGPv6
!
policy-map COPP
class CONTROL-PLANE
police 8000 1500 conform-action transmit exceed-action drop


control-plane
service-policy input COPP

Does anyone happen to use CoPP and could help me?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Harold Ritter
Level 12
Level 12
In response to MHM Cisco World

‎05-09-2024 02:05 PM

Hi @MHM Cisco World ,

ACLs can't be applied at the loopback interface level. This definitely needs to be done at the physical interface level.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

0 Helpful
14 Replies 14

Go to solution
MHM Cisco World
VIP
VIP

‎05-09-2024 11:51 AM

You control rate by CoPP for BGP

What you want to get form this CoPP

MHM

0 Helpful

Go to solution
cardosocristian
Level 1
Level 1

‎05-09-2024 12:04 PM

The idea is to only release this IPv6 2804:DB8:1000::1 to connect to the BGP port of my router

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to cardosocristian

‎05-09-2024 12:07 PM - edited ‎05-09-2024 12:28 PM

Check below link

MHM

Go to solution
Georg Pauwen
VIP
VIP

‎05-09-2024 12:15 PM

Hello,

I think in any case you need to apply the ACL to the neighbor as well:

neighbor <neighbor IPv6 address> filter-list  eBGPv6 in

0 Helpful

Go to solution
cardosocristian
Level 1
Level 1

‎05-09-2024 12:17 PM

Is the idea to apply Control Plane Police to carry out these blockades or is that not what it is for?

Go to solution
MHM Cisco World
VIP
VIP
In response to cardosocristian

‎05-09-2024 12:20 PM

You can apply ACL in interface but what if you have many interfaces 

So the solution is put it back and config CoPP in CPU. 

MHM

0 Helpful

Go to solution
cardosocristian
Level 1
Level 1

‎05-09-2024 12:23 PM

I understood that, I just wanted to understand if my example there is correct or if anyone here has any considerations or configuration examples for me to test and evolve the configuration here, I even used the RFC example and I was unsuccessful.

0 Helpful

Go to solution
Harold Ritter
Level 12
Level 12
In response to cardosocristian

‎05-09-2024 01:04 PM

Hi @cardosocristian ,

The behavior you are seeing is normal. The traffic that does match the class CONTROL-PLANE will be handle by the class default. You can see that using the "show policy-map control-plane" command.

BTW, CoPP is not the best way to block BGP sessions. I would definitely go with an ACL for that purpose.

Regards,

Regards, 

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

Go to solution
cardosocristian
Level 1
Level 1

‎05-09-2024 01:23 PM

I come from the Juniper world, where I can apply firewall filters, like acl's on the router's loopback that can filter source IP's for the services I want to allow access to, there is something similar in Cisco or the most common is to use ACL's on interfaces directly ?

0 Helpful

Go to solution
Harold Ritter
Level 12
Level 12
In response to cardosocristian

‎05-09-2024 01:56 PM - edited ‎05-09-2024 02:02 PM

Hi @cardosocristian ,

something similar in Cisco or the most common is to use ACL's on interfaces directly

Yes, configuring the ACL directly on the physical interface would be the recommend approach.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to cardosocristian

‎05-09-2024 02:00 PM

I fast try use ACL under LO and it not work.

So for LO I think you have one option which is use CoPP

MHM

0 Helpful

Go to solution
Harold Ritter
Level 12
Level 12
In response to MHM Cisco World

‎05-09-2024 02:05 PM

Hi @MHM Cisco World ,

ACLs can't be applied at the loopback interface level. This definitely needs to be done at the physical interface level.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card